On Sun, Sep 25, 2016 at 03:12:00PM -0400, Alex wrote:
> Hi, I'm seeing quite a few FPs with HTTPS_HTTP_MISMATCH and its score
> of 2.0. Isn't that kind of high for a rule that doesn't even have a
> description?
> 
> Can someone explain what the rule does, and consider whether its score
> should be adjusted?
> 
> Thanks,
> Alex

From my quick glance over the code, it looks like that rule is meant to
trigger when a link presents its text as an https://... link, however
the actual link is to an http://... URL. Like this:

<a href="http://spammersite.com/virus">https://www.email-service.com/login</a>

The only place I would imagine false positives arising from this rule
would be if an email sender uses some sort of automatic link replacement
(e.g. for click-through tracking) that doesn't support https. And I
personally am inclined to agree that an email that mis-represents
insecure links as secure should be considered suspicious.

Contact the senders of the flagged emails and ask them to fix their
systems. Spam or not, that is a real problem.

--Sean
